Fix AWS Lambda Container Image Pull Failed

Introduction

Lambda can use container images up to 10GB from ECR. When the function can't pull the image, invocations fail before the code even runs. This typically happens due to ECR permissions, image format issues, or Lambda function configuration errors.

Symptoms

Function invocation error:

```bash $ aws lambda invoke --function-name my-container-function output.json

{ "errorMessage": "Image could not be pulled", "errorType": "ImagePullFailure" } ```

Lambda console error:

The image could not be pulled from ECR. Check the ECR repository permissions and the image configuration.

CloudWatch Logs:

```bash $ aws logs filter-log-events --log-group-name /aws/lambda/my-function

INIT_START Init Duration: 1500.00 ms Failed to download image: ResourceNotFoundException ```

ECR access denied:

An error occurred (AccessDeniedException) when calling the GetDownloadUrlForLayer operation

Common Causes

1. 1.ECR repository permissions missing - Lambda can't access ECR
2. 2.Image not in Lambda-compatible format - Missing ENTRYPOINT or CMD
3. 3.Image too large - Exceeds 10GB limit
4. 4.Image in wrong region - ECR in different region than Lambda
5. 5.Private ECR without permissions - Cross-account access denied
6. 6.Image manifest issues - Multi-arch image without arm64/amd64 specific
7. 7.Lambda execution role missing ECR permissions

Step-by-Step Fix

1. 1.Check logs for specific error messages
2. 2.Verify configuration settings
3. 3.Test network connectivity
4. 4.Review recent changes
5. 5.Apply corrective action
6. 6.Verify the fix

Step 1: Check ECR Repository Permissions

```bash # Get repository policy aws ecr get-repository-policy --repository-name my-lambda-image

# If empty or missing Lambda access, add policy: aws ecr set-repository-policy \ --repository-name my-lambda-image \ --policy-text '{ "Version": "2008-10-17", "Statement": [ { "Sid": "LambdaPull", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" }, "Action": [ "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage", "ecr:BatchCheckLayerAvailability" ] } ] }' ```

For cross-account Lambda:

aws ecr set-repository-policy \
  --repository-name my-lambda-image \
  --policy-text '{
    "Version": "2008-10-17",
    "Statement": [
      {
        "Sid": "CrossAccountLambdaPull",
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::TARGET_ACCOUNT:root"
        },
        "Action": [
          "ecr:GetDownloadUrlForLayer",
          "ecr:BatchGetImage",
          "ecr:BatchCheckLayerAvailability"
        ]
      }
    ]
  }'

Step 2: Check Lambda Execution Role

```bash # Get function execution role aws lambda get-function-configuration --function-name my-container-function \ --query 'Role'

# Role needs ECR permissions aws iam get-role-policy --role-name lambda-execution-role --policy-name ecr-access

# Add ECR permissions if missing aws iam put-role-policy \ --role-name lambda-execution-role \ --policy-name ecr-access \ --policy-document '{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage", "ecr:BatchCheckLayerAvailability", "ecr:GetAuthorizationToken" ], "Resource": "*" } ] }' ```

Step 3: Verify Image Configuration

```bash # Inspect image locally docker inspect my-lambda-image:latest

# Check for ENTRYPOINT and CMD docker inspect my-lambda-image:latest --format='{{json .Config Entrypoint}}' docker inspect my-lambda-image:latest --format='{{json .Config.Cmd}}'

# Lambda requires either ENTRYPOINT or CMD # Handler is passed as argument to ENTRYPOINT ```

Lambda-compatible Dockerfile:

```dockerfile # Example for Python FROM public.ecr.aws/lambda/python:3.11

# Copy function code COPY app.py ${LAMBDA_TASK_ROOT}

# Set handler CMD ["app.handler"]

# Or use ENTRYPOINT ENTRYPOINT ["/lambda-entrypoint.sh"] CMD ["app.handler"] ```

Step 4: Check Image Size

```bash # Check image size docker images my-lambda-image

# Lambda limit: 10GB total # If exceeds limit, reduce size:

# Remove unnecessary files docker build --no-cache -t my-lambda-image .

# Use multi-stage build FROM python:3.11-slim as builder WORKDIR /app COPY requirements.txt . RUN pip install --target=/app/deps requirements.txt

FROM public.ecr.aws/lambda/python:3.11 COPY --from=builder /app/deps ${LAMBDA_TASK_ROOT} COPY app.py ${LAMBDA_TASK_ROOT} CMD ["app.handler"] ```

Step 5: Verify ECR and Lambda Region Match

```bash # Get ECR repository region aws ecr describe-repositories --repository-names my-lambda-image \ --query 'repositories[*].repositoryUri'

# URI shows region: account.dkr.ecr.region.amazonaws.com

# Get Lambda function region aws lambda get-function-configuration --function-name my-container-function \ --query 'FunctionArn'

# Must be same region or Lambda can't pull ```

For cross-region:

```bash # Copy image to Lambda's region aws ecr create-repository --repository-name my-lambda-image --region target-region

docker tag my-lambda-image:latest account.dkr.ecr.target-region.amazonaws.com/my-lambda-image:latest docker push account.dkr.ecr.target-region.amazonaws.com/my-lambda-image:latest

# Update Lambda function with new image aws lambda update-function-code \ --function-name my-container-function \ --image-uri account.dkr.ecr.target-region.amazonaws.com/my-lambda-image:latest ```

Step 6: Test Image Pull Locally

```bash # Pull image from ECR aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin account.dkr.ecr.us-east-1.amazonaws.com

docker pull account.dkr.ecr.us-east-1.amazonaws.com/my-lambda-image:latest

# Run locally to verify handler docker run -p 9000:8080 account.dkr.ecr.us-east-1.amazonaws.com/my-lambda-image:latest

# Test invocation curl -XPOST "http://localhost:9000/2015-03-31/functions/function/invocations" -d '{"test": "data"}' ```

Step 7: Check Image Architecture

```bash # Lambda supports x86_64 and arm64 # Check image architecture docker inspect my-lambda-image --format '{{.Architecture}}'

# Get Lambda function architecture aws lambda get-function-configuration --function-name my-container-function \ --query 'Architectures'

# They must match: # x86_64 image -> x86_64 Lambda # arm64 image -> arm64 Lambda

# If mismatch, update Lambda architecture aws lambda update-function-configuration \ --function-name my-container-function \ --architectures arm64 ```

For multi-arch images:

```bash # Build for specific architecture docker buildx build --platform linux/amd64 -t my-lambda-image:amd64 .

docker buildx build --platform linux/arm64 -t my-lambda-image:arm64 .

# Push correct architecture docker push account.dkr.ecr.region.amazonaws.com/my-lambda-image:amd64 ```

Step 8: Verify ECR Image Exists

```bash # List images in repository aws ecr list-images --repository-name my-lambda-image

# Get specific image details aws ecr describe-images --repository-name my-lambda-image --image-ids imageTag=latest

# Check Lambda function image URI aws lambda get-function-configuration --function-name my-container-function \ --query 'Code.ImageUri'

# Must match an existing image in ECR ```

Step 9: Check for Manifest Issues

```bash # For multi-arch images, Lambda needs specific manifest # Check manifest docker manifest inspect account.dkr.ecr.region.amazonaws.com/my-lambda-image:latest

# If multi-arch without correct platform, push platform-specific tag: docker push account.dkr.ecr.region.amazonaws.com/my-lambda-image:latest-arm64

# Update Lambda with specific tag aws lambda update-function-code \ --function-name my-container-function \ --image-uri account.dkr.ecr.region.amazonaws.com/my-lambda-image:latest-arm64 ```

Step 10: Update Function with Valid Image

```bash # After fixing issues, update function aws lambda update-function-code \ --function-name my-container-function \ --image-uri account.dkr.ecr.us-east-1.amazonaws.com/my-lambda-image:v1.0

# Wait for update to complete aws lambda wait function-updated --function-name my-container-function

# Check function status aws lambda get-function-configuration --function-name my-container-function \ --query 'State' # Should be: Active ```

Lambda Container Image Requirements

Verification

```bash # Test invocation aws lambda invoke --function-name my-container-function output.json

# Check output cat output.json

# CloudWatch should show successful init aws logs filter-log-events \ --log-group-name /aws/lambda/my-container-function \ --filter-pattern "INIT_START" ```

Related Issues

• [Fix AWS Lambda Memory Limit Exceeded](/articles/fix-aws-lambda-memory-limit-exceeded)
• [Fix AWS Lambda Cold Start Latency](/articles/fix-aws-lambda-cold-start-latency)
• [Fix AWS ECR Repository Policy Denied](/articles/fix-aws-s3-bucket-policy-denied)

Related Articles

• [AWS troubleshooting: Fix IAM Permission Denied - Complete Tro](fix-iam-permission-denied)
• [AWS cloud troubleshooting: AWS ACM Certificate Pending Validation Because the](aws-acm-certificate-pending-validation-wrong-route53-zone)
• [AWS cloud troubleshooting: AWS ALB Returns 502 Because the Target Closed the ](aws-alb-502-target-closed-connection-keepalive-timeout-mismatch)
• [AWS cloud troubleshooting: Fix AWS ALB CreateListener TargetGroupNotFound Err](aws-alb-createlistener-targetgroupnotfound)
• [AWS cloud troubleshooting: Fix Aws Alb Lambda 502 Bad Gateway Issue in AWS](aws-alb-lambda-502-bad-gateway)

<script type="application/ld+json"> { "@context": "https://schema.org", "@type": "TechArticle", "headline": "Fix AWS Lambda Container Image Pull Failed", "description": "Troubleshoot Lambda container image pull failures. Fix ECR permissions, image formats, and Lambda function configuration.", "url": "https://www.fixwikihub.com/fix-aws-lambda-container-image-pull-failed", "publisher": { "@type": "Organization", "name": "FixWikiHub", "url": "https://www.fixwikihub.com" }, "author": { "@type": "Person", "name": "FixWikiHub Editorial Team" }, "datePublished": "2026-04-01T11:13:35.658Z", "dateModified": "2026-04-01T11:13:35.658Z" } </script>